How to Install and Set Up OpenBSD

Posted on by Kyle Willett | Updated:
Category: Tutorials | Tags: OpenBSD, Tutorial
Reading Time: 4 minutes

OpenBSD is a free and open source, Unix-like operating system with a focus on security. It is based on the Berkeley Software Distribution (BSD). In this article, we will look at how to set up a simple OpenBSD server for purposes such as:

  • Webserver with HTTPD, Apache, or Nginx
  • Mail server
  • Firewall
  • Router

Pre-Installation Requirements

Here are a few requirements needed for this installation:

  • Access to plug-in physical media to the device.
  • A system without multiboot.
  • Ability to devote the entire hard drive to OpenBSD.

View the OpenBSD frequently asked questions (FAQs) for additional requirements.

Choosing the Right Version for You

A new version of OpenBSD is released every six months in the fall months and the spring months. Each version gets one full year of support with errata patches. These patches address security issues, bug fixes, and potential feature updates.

Preparing the Installation Media

The first task is to create the installation media.

Download and copy the appropriate .img file for the desired version to a USB drive. The files labeled miniroot is a web-based installation that downloads the required files over the Internet. Alternatively, files marked install contain all files necessary for installation.

Write the file to the USB drive using the dd command as the root user. Ensure your terminal is in the directory you downloaded the .img file to, and sdb is the name of the USB drive you want to write to.

dd if=./miniroot70.img of=/dev/sdb
Note:
For help checking how a Linux server or workstation recognizes the USB drive, use the dmesg command. Dmesg will show the kernel operation messages, including the most recently attached drive’s name. Write the installation image from macOS or Windows, alternatively.

How to Install and Set Up OpenBSD

Step 1: Boot From Installation Media

Insert the USB drive into the target server and boot to it from the boot menu.

Note:
Refer to the manufacturer documentation for boot instructions on the specific device.

Select Install from the main menu.

An SHA256 key that has checksums is in the directory containing the installation files. The checksums verify the integrity of the installation files, ensuring there is no data corruption. Next, cryptographically verify the image using OpenBSD’s program command, signify.

The install files do not have an SHA256.sig file, so select Yes at the prompt to proceed.

Note:
For a first-time installation, accepting the defaults to most prompts is recommended.

A single hard drive partition like a master boot record format (MBR) or GUID partition table (GPT) will be sliced into numerous BSD portions, almost identical to other partitions. The default partition slices are appropriate for most hard disk or solid-state drives over 20GB in size.

Step 2: Create a Standard User

A best practice is to create a standard user to avoid using the root user as much as possible. The user created during install time is automatically included in the staff class and granted extra resources, such as additional RAM per process. Invite the default user to the wheel and operator groups.

Step 3: Install OpenBSD File Sets

The OpenBSD development team strongly recommends installing all file sets, even if you do not think you need them. A set is a collection of files needed for a particular task, and some sets are mandatory, like BSD (the kernel) and base (the userland).

Others like the X11 set (the graphical user interface environment for Unix-based systems) are optional but may contain code some packages need to function. Skipped sets are automatically installed in future version installations of OpenBSD, hence the recommendation to install all sets now.

Step 4: Disable Root Login Over SSH

By default, sshd is enabled, and password-based logins are allowed for remote administration. Creating a new default user provides the option of enabling root login over SSH. It is common for servers to disable root login over SSH because attackers attempt to gain access using root.

Note:
You can make SSH more secure later by setting up key-based authentication.

Step 5: First OpenBSD Boot

Once the install is completed, the system should reboot and present you with a text login prompt (with X11 turned off) or a graphical login prompt.

If a network connection was established during installation, fw_update would run. It updates all firmware on the system and lists any patches you might need to install.

OpenBSD is secure by default, but regular updates maintain security. Use the syspatch command as root to install missing updates and patches.

OpenBSD sets up and configures a local mail system for the root user. The first message instructs them to read the afterboot man page. It is highly recommended to do so in order to acquaint yourself with the system.

Additional OpenBSD Information and Set Up

Text Editors

The default text editors are Visual (vi), new vi (nvi), and mg (an emacs clone). The root user can install the text editor of their choosing.

Service Control

OpenBSD uses the rcctl for configuring and controlling daemons and services. It is the recommended tool for editing, enabling, and disabling base system daemons and services. The rcctl command also helps set the services and daemons enabled and started at boot. 

For example, the following command will enable a service at boot. Change service_name to the specified service.

rcctl enable service_name

To start a service now, change enable to start as in the below command.

rcctl start service_name

The rcctl command has many other uses, such as setting flags for commands and checking the status of commands. The man page offers complete details and syntax for all command use cases.

Conclusion

This article walks through how to install and set up OpenBSD. The tutorial also goes through setting up users, patching the system, and performing basic system administration tasks.

Liquid Web offers many managed hosting options for your next project. Contact our sales team today for a consultation on the right fit for you.

kb-banner-lw-hosting
Avatar for Kyle Willett

About the Author: Kyle Willett

Kyle Willett is a Nexcess Data Center Technician Level 1.

Latest Articles

Blocking IP or whitelisting IP addresses with UFW

Read Article

CentOS Linux 7 end of life migrations

Read Article

Use ChatGPT to diagnose and resolve server issues

Read Article

What is SDDC VMware?

Read Article

Best authentication practices for email senders

Read Article